OCaml CVE-2017-9772

  • Done
Details
5 participants
  • Efraim Flashner
  • Julien Lepiller
  • Leo Famulari
  • Ludovic Courtès
  • zimoun
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 23 Jun 2017 18:41
(address . bug-guix@gnu.org)
20170623164150.GA15440@jasmine.lan
Our packages of OCaml 4.02.3 and 4.01.0 are vulnerable to CVE-2017-9772:

http://seclists.org/oss-sec/2017/q2/575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9772


Efraim Flashner wrote on 29 Jun 2017 21:17
(name . Leo Famulari)(address . leo@famulari.name)(address . 27463@debbugs.gnu.org)
20170629191741.GE1734@macbook42.flashner.co.il
On Fri, Jun 23, 2017 at 12:41:50PM -0400, Leo Famulari wrote:
> Our packages of OCaml 4.02.3 and 4.01.0 are vulnerable to CVE-2017-9772:
>
> http://seclists.org/oss-sec/2017/q2/575
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9772

According to Debian¹ only Ocaml-4.04.[01] is affected


--
Efraim Flashner <efraim@flashner.co.il>
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


Ludovic Courtès wrote on 27 Jul 2017 14:25
control message for bug #27463
(address . control@debbugs.gnu.org)
87shhi3w3q.fsf@gnu.org
tags 27463 security
zimoun wrote on 14 Nov 2019 17:22
Bug #27463 Hunting: OCaml CVE-2017-9772
CAJ3okZ13eoBcSC+rPOhMfZ6nCQRbGbSGROjikCUSeSQV-XAKaw@mail.gmail.com
Dear,

This bug was opened for OCaml versions 4.02 and 4.01; then Debian said
it affects version 4.04, and today (two years later) the version is
4.07. Does this security issue still make sense?

If yes, please tell me what I can do to proceed: apply the
security patch and close the issue.
If no, I plan to close this bug.


Thank you in advance for any comments.

All the best,
simon

Julien Lepiller wrote on 14 Nov 2019 18:23
1BA7F507-8EF5-4F79-A921-965CF141BC27@lepiller.eu
On 14 November 2019 17:22:41 GMT+01:00, zimoun <zimon.toutoune@gmail.com> wrote:
>Dear,
>
>This bug was opened for OCaml versions 4.02 and 4.01; then Debian said
>it affects version 4.04, and today (two years later) the version is
>4.07. Does this security issue still make sense?
>
>If yes, please tell me what I can do to proceed: apply the
>security patch and close the issue.
>If no, I plan to close this bug.
>
>
>Thank you in advance for any comments.
>
>All the best,
>simon
>
>https://debbugs.gnu.org/cgi/bugreport.cgi?bug=27463

Closing as the security issue does not apply to our OCaml version.
Closed
This issue is archived.